diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index f4f0d1e2..70a46af5 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -28,7 +28,17 @@ acl_path="/$__object_id"
 
 acl_is="$( cat "$__object/explorer/acl_is" )"
 
-if [ -f "$__object/parameter/entry" ]
+if [ -f "$__object/parameter/source" ]
+then
+    acl_source="$( cat "$__object/parameter/source" )"
+
+    if [ "$acl_source" = '-' ]
+    then
+        acl_should="$( cat "$__object/stdin" )"
+    else
+        acl_should="$( grep -Ev '^#|^$' "$acl_source" )"
+    fi
+elif [ -f "$__object/parameter/entry" ]
 then
     acl_should="$( cat "$__object/parameter/entry" )"
 elif [ -f "$__object/parameter/acl" ]
diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst
index c3493e49..e7ef9579 100644
--- a/cdist/conf/type/__acl/man.rst
+++ b/cdist/conf/type/__acl/man.rst
@@ -19,6 +19,14 @@ entry
    Set ACL entry following ``getfacl`` output syntax.
 
 
+OPTIONAL PARAMETERS
+-------------------
+source
+   Read ACL entries from stdin or file.
+   Ordering of entries is not important.
+   When reading from file, comments and empty lines are ignored.
+
+
 BOOLEAN PARAMETERS
 ------------------
 default
@@ -71,6 +79,10 @@ EXAMPLES
         --entry group:secret-project:rwx \
         --entry user:alice:r-x
 
+    # read acl from stdin
+    echo 'user:alice:rwx' \
+        | __acl /path/to/directory --source -
+
 
 AUTHORS
 -------
diff --git a/cdist/conf/type/__acl/parameter/optional b/cdist/conf/type/__acl/parameter/optional
index 4b32086b..12edcccb 100644
--- a/cdist/conf/type/__acl/parameter/optional
+++ b/cdist/conf/type/__acl/parameter/optional
@@ -1,2 +1,3 @@
 mask
 other
+source